

ICO consultation on the draft right of access guidance


Q1 


Does the draft guidance cover the relevant issues about the right of access?

(x) Yes
( ) No
( ) Unsure / don't know

If no or unsure/don't know, what other issues would you like to be covered in it?


Q2 


Does the draft guidance contain the right level of detail?

(x) Yes
( ) No
( ) Unsure / don't know

If no or unsure/don't know, in what areas should there be more detail within the draft guidance?


Q3 


Does the draft guidance contain enough examples?

(x) Yes
( ) No
( ) Unsure / don't know

If no or unsure/don't know, please provide any examples that you think should be included in the draft guidance.


Q4 


Q5 


We have found that data protection professionals often struggle with applying and defining 'manifestly unfounded or excessive' subject access requests. We would like to include a wide range of examples from a variety of sectors to help you. Please provide some examples of manifestly unfounded and excessive requests below (if applicable).


Thank you for the opportunity to comment on the draft Subject Access Request (SAR) Guidance. The following response from the Pension Scams Industry Group (PSIG), responsible for the Code of Practice on Combating Pension Scams (http://www.combatingpensionscams.org.uk/), expands on a growing concern within the pensions industry and wider financial services sector around the abuse of SARs by claims management companies. This is something that has already spoken to the ICO about and, in our response, we reiterate our calls for guidance to explicitly cover the issue of SARs being used for an improper purpose, and what the rights of data controllers are in these circumstances. In more detail, the GDPR recitals are instructive; i.e. the right of access is for individuals to be aware of, and verify, the lawfulness of the processing. We have, however, experienced and been made aware of the growing practice of SARs being used in a manner contrary to the substantive policy intention; i.e. for, often highly speculative, claims purposes rather than awareness and verification of lawfulness of processing.

According to page 3 of the draft SAR guidance: "The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other supplementary information. It is a fundamental right for individuals. It helps them understand how and why you are using their data, and check you are doing it lawfully." If this is the core purpose, then we know of one independent trustee firm, heavily involved in the fight against pension scams, that has stated 95% of their SARs (with 858 requests received since 2018) run contradictory to this principle.

The same firm provided a real-life example of the potential for SARs being misused as mentioned above. A member of a pension scheme who had been a victim of a pension scam contacted us by phone. We were appointed independent trustees to the 'scam-scheme' to try and recover funds for the members. She was cold-called recently by a known claims company. Whilst it was unclear whether she misunderstood what they actually said, she told us that they asked for her benefits 'to be transferred to them'. The claims company were looking to take 25%, and stated that they would 'get her money back'. She got confused as she understood that she cannot access her funds from the scheme. The trustee explained why it is more likely that the claims company would be making a claim for compensation, using SARs, as opposed to recovery. The member was then very concerned with the nature of the cold call and how they got hold of her data. The claims company also already knew how much she had transferred. The independent trustee explained its various concerns, and explained her rights under GDPR. In this case, the call concluded with the member asking that the trustee make a note on file not to share her data with anyone without her consent.

Turning to page 11 of the draft guidance, another tactic is to get members to make General Data Protection Regulation (GDPR) Data Subject Access Requests (DSARs). Those subject to a DSAR will need to ensure they comply and take advice as deemed necessary. However, consideration can be given as to whether every document request properly falls within the scope of a DSAR. In some cases, a claims management company might attempt to obtain disclosure to which it is not entitled. For example, due diligence undertaken in looking into the prospective receiving scheme, which might prove extensive, need not be disclosed under a DSAR if the member concerned is not specifically identifiable from it and if that due diligence could just as easily relate to a transfer request made by another member. By contrast, any conclusions reached from that due diligence and relayed to the specific member might well fall to be provided. It is possible to redact information that has been gathered in the prevention of financial crime. This could apply to due diligence that highlights any suspicions, in order to avoid possible tipping off.

At the moment, the purpose of SARs for 'claims purposes' is not directly spoken about once in the entire draft guidance and yet the risks are very real. The scope and jeopardy of such requests is, we feel, vastly underestimated. In consequence, we would like to ask for the sections in the draft guidance on "How do we recognise a subject access request (SAR)?"; "What should we consider when responding to a request?"; and "When can we refuse to comply with a request?" to be expanded to address the 'mischief' identified in this response. For completeness, we would also point out that, under DPA 2018, there is a regulation-making power under the provisions on "Restrictions on data subject's rights" (sections 15 and 16) that would allow further exemptions to be introduced on DSARs.


On a scale of 1-5, how useful is the draft guidance?

1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful

(response marked; selected value not legible in source)


Q6 Why have you given this score? 


See comments at Q4. The guidance is good but more is needed to address the improper use of SARs.


Q7 To what extent do you agree that the draft guidance is clear and easy to understand?

Strongly disagree
Disagree
Neither agree nor disagree
Agree
Strongly agree

(response marked; selected value not legible in source)


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft guidance.


See Q4 


Are you answering as:

( ) An individual acting in a private capacity (eg someone providing their views as a member of the public)
( ) An individual acting in a professional capacity
(x) On behalf of an organisation
( ) Other

Please specify the name of your organisation: 

Pension Scams Industry Group 


What sector are you from: 
Financial Services 


Q10 How did you find out about this survey?

( ) ICO Twitter account
( ) ICO Facebook account
( ) ICO LinkedIn account
( ) ICO website
( ) ICO newsletter
( ) ICO staff member
( ) Colleague
( ) Personal/work Twitter account
( ) Personal/work Facebook account
( ) Personal/work LinkedIn account
( ) Other

If other, please specify:


